Aqua supports SAML 2.0 login.

To enable SAML, support will request several pieces of information from you. 

We will then enable SAML for a single user within your account so that no one loses access, allow you to test the configuration end-to-end, and then enable it for all of your users.

We have documentation for our general SAML configuration. 

Here we show specifically the configuration on the Oracle Cloud Service side:

SAML Setup

Step 1: Create a SAML Application

To begin enabling SAML, you must first create a new application for Aqua in your SAML provider, using the values below.

Assertion Consumer URL: https://cloudsploit.auth.us-east-1.amazoncognito.com/saml2/idpresponse
EntityID: urn:amazon:cognito:sp:us-east-1_voZ9dTvpW
NameID Format: Email Address
NameID Value: Primary Email
Identity Claim: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Required Attributes:
  Name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress
  Value: {User's email address}
  Format: Basic
  Type: User Attribute
  Value: Primary Email

Signin / Signout URL (Application URL / Relay state): https://cloud.aquasec.com/sso


Here is where it should be placed in Oracle:

Step 2: Generate an XML file or link

After you have created your SAML application, you will need to provide your application information to Aqua support. This can either be in the form of an exported XML metadata file, or a link to an XML metadata endpoint. You can validate your XML file using an online SAML XML validator.


Step 3: Initiating the SAML Setup

Once you have collected the above information and configured your application, please contact Aqua support and provide the following information:

  1. Your XML file or XML metadata endpoint
  2. The domains you'd like to allow to authenticate with your account. Aqua can support an unlimited number of domains.
  3. Whether you would like to enforce SAML login for all users in your account (if yes, existing usernames/passwords will no longer work and SAML will be enforced for all new and existing users).
  4. Whether you would like to enable just-in-time provisioning of user accounts (if yes, new users will be added to the "Default" groups).
  5. Which user (email address) you'd like to use to test the configuration before enabling it globally.


Step 4: Test the SAML setup

Once support confirms receipt of the above, we will enable SAML for your account, but only apply it to the user you specify. This is done to prevent incorrect SAML configurations from locking out all other users in your account.


Support will then ask you to confirm the workflow by testing a SAML sign-in. If everything succeeds, we will then enable it for all other users.


Step 5: Next Steps

  1. Aqua supports several advanced SAML features you may wish to enable.
  2. Share the new SAML sign-in link with your users: https://cloud.aquasec.com/sso 


Step 6: Optional

  1. Customize session timeout


Setting Up Groups with Aqua and Oracle


To set up Groups within Oracle you need to add two extra 'Attribute Configuration' entries.


Name | Format | Type | Value | Condition
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress | Basic | User Attribute | Primary email |
groups | Basic | User Attribute | Group Membership | All Groups
cspmgroups | Basic | User Attribute | Group Membership | All Groups
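During the test sign-in (Step 4) the quickest way to confirm that the attribute configuration above is doing its job is to look at the assertion the IdP actually sends and check that the NameID is an e-mail address and that the emailaddress claim, groups and cspmgroups attributes are present in Basic format. The script below is an added example, not part of the Aqua documentation or the Oracle product; it inspects a constructed sample assertion, does not validate signatures (the service provider does that), and the issuer, user and group names are placeholders.

```python
# Added example (not from the Aqua documentation): check that a SAML assertion
# carries the NameID and attributes the Oracle attribute configuration should
# emit. Inspection only; signature validation is the service provider's job.
import xml.etree.ElementTree as ET

SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"saml": SAML}
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BASIC = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
REQUIRED_ATTRIBUTES = (EMAIL_CLAIM, "groups", "cspmgroups")

# Constructed sample: issuer, user and group names are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML}" ID="_constructed-1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com/fed</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="{EMAIL_NAMEID}">alice@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="{EMAIL_CLAIM}" NameFormat="{BASIC}">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="groups" NameFormat="{BASIC}">
      <saml:AttributeValue>Security</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="cspmgroups" NameFormat="{BASIC}">
      <saml:AttributeValue>Security</saml:AttributeValue>
      <saml:AttributeValue>Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def check_assertion(xml_text):
    """Report whether the assertion matches the attribute configuration for Aqua."""
    root = ET.fromstring(xml_text)
    # Accept either a bare Assertion or a Response that wraps one.
    assertion = root if root.tag == f"{{{SAML}}}Assertion" else root.find(".//saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no saml:Assertion found")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    name_id_text = name_id.text.strip() if name_id is not None and name_id.text else None
    values, formats = {}, {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        name = attr.get("Name")
        formats[name] = attr.get("NameFormat")
        values[name] = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
    return {
        "nameid": name_id_text,
        "nameid_format_ok": name_id is not None and name_id.get("Format") == EMAIL_NAMEID,
        "missing": [n for n in REQUIRED_ATTRIBUTES if n not in values],
        # Attributes present but not declared in Basic format, as the table requires.
        "non_basic": [n for n in REQUIRED_ATTRIBUTES if n in formats and formats[n] != BASIC],
        "email_matches_nameid": name_id_text is not None and name_id_text in values.get(EMAIL_CLAIM, []),
        "groups": values.get("groups", []),
        # Both group attributes are configured identically, so they should agree.
        "groups_consistent": values.get("groups") == values.get("cspmgroups"),
    }


if __name__ == "__main__":
    for key, val in check_assertion(SAMPLE_ASSERTION).items():
        print(f"{key}: {val}")
```

To use it on a real test sign-in, take the base64-decoded SAMLResponse from the browser's developer tools or a SAML tracer and pass the XML to check_assertion; an empty missing list, nameid_format_ok and email_matches_nameid both true, and a non-empty groups list mean the configuration matches the table above.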